Cleaning up an infected website – Part I: WordPress and the Pharma Hack

We get to deal with infected web sites on a daily basis and the most common question we get is how do we clean websites. What steps do we take? What should you do if you want to clean up your site if it gets infected?

This is part one of a small series of posts showing how to clean up sites. We will start with how to clean up “Pharma Hack” on a WordPress driven site due to the popularity. You can follow the series here: https://blog.sucuri.net/category/guides.

*Note that this post covers website clean up only (Mostly applicable to shared servers). If you have a dedicated server (or VPS), there are additional steps to secure it, not covered here.**If the items contained in this post are more than you want to take on, we are here to help. Visit Sucuri or email us at support@sucuri.net

1- Detecting (discovering) that you are hacked

This is the most important step. Most people don’t realize they’ve been exploited, here are a couple things you can do to check your site:

Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any strange titles or spammy results returned on your search. If you see Viagra, Cialis or any other flavor of medicine returned by Google on your search, you’re probably dealing with the Pharma Hack.

If you’re not sure after checking Google, use http://sitecheck.sucuri.net to run a scan. Type your domain name, and if it returns the Pharma Hack (or any other malware) you will see an alert:

2- Fixing Vulnerabilities

If you’re WordPress site is infected with the Pharma Hack, here are a few things you can do to fix some of the vulnerabilities:

1-Make sure your WordPress install is upgraded up to date. If not, update it ASAP. Even before you start cleaning up the malware.
2-Change your WordPress password (for all admin / editor accounts) and your FTP (or SSH) password.
3-Update all your plugins.

3- Removing backdoors

This is the first step in the clean up process. These types of attacks often times include loading backdoor files on your server to allow access to attackers in the future. If you don’t remove the backdoors, the attackers will be able to reinfect your site pretty easily. These are the files to look for AND REMOVE:

4-Cleaning up the file system

After successfully creating a backdoor into your system, the attackers usually add a new plugin file that is called everytime WordPress is loaded. Here are some examples of the file names we see regularly:

The file names typically follow the above naming convention, but the plugin names used are random. We do not recommend you rely only on these samples for your search, and also try looking for any plugin file with the “wp_class_support” string on it.

In a previous post about the Pharma hack you mention doing a string search on the files looking for “php $[a-zA-Z]*=’as’;” and also about the search noted under number 3 – how do you do a string search on the php files on my install?

I checked the above website and it says mine comes back clean, yet it redirects to Feedburner in addition my email address jason@jasonestevens.com is not working either. Any idea of this type of attack or is something else going on? Thanks for the help.

kw_45

My site is infected with a version of the Pharmahack that your tool is not detecting. If I run it through Webmaster tools as Googlebot the Pharma crap appears, but your tool does not pick it up.

fiverrtutorial

can sucuri pick up hack that effected your database?

Thijs

Recently a Pharma Hack was executed on my WordPress website. The hack was activated by running the following plugin file: /wp-content/plugins/db.php. As this file has not been mentioned in your article I think it’s important to share it with you.

http://trona-ca.com David Stevens

Who is your web host provider? I would like to track back links on a site hosted on a different provider than mine. You don’t have to give me your URL but I would like you to give me the URL of one incoming link with a drug name in it. I’m doing research if you are wondering.

http://trona-ca.com David Stevens

I have a question: What would happen if the sites that Pharma Hack is redirecting to or putting frames had to shut down and reopen with a new URL. Would this kill the hack and force the crackers to have to go back and patch in a new URL?

Subbu

In all my WordPress sites, the code added like below:

Can anybody help me, how to remove this code from all the files at a time.
Thanks.

Subbu

Subbu

Showing like: <?php /*versio:3.02*/ $GLOBALS["ktrmpz"] this.

Wise Geek

Do you need a university degree, Do you want to hack a college degree of any university,